<p>Do not use the <code>HttpServletRequest.getRequestedSessionId()</code> method:</p>

<h2>Noncompliant Code Example</h2>
<pre>
if (isActiveSession(request.getRequestedSessionId())) {  // Noncompliant: ID comes straight from the client
  ...
}
</pre>
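<p>The following servlet filter is an added example, not part of the original rule description: it shows the noncompliant check from above next to the hardened form that asks the container for the session it actually holds. The filter class, the <code>"user"</code> session attribute and the use of <code>javax.servlet</code> are assumptions.</p>

```java
// Added example, not from the original rule page. Assumes a javax.servlet-based
// application; the "user" attribute is a placeholder for whatever marks a login.
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;

public class SessionCheckFilter implements Filter {

  @Override
  public void init(FilterConfig cfg) { }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    // Noncompliant (from the rule's sample): getRequestedSessionId() returns the
    // raw ID the client sent in its JSESSIONID cookie or URL. The container has
    // not checked it against any live session, so a decision keyed on it is a
    // decision keyed on client-controlled input (CWE-807).
    //
    //   if (isActiveSession(request.getRequestedSessionId())) { ... }

    // Compliant: let the container resolve the session. getSession(false) creates
    // nothing and returns null when the client-supplied ID matches no live
    // session, so a forged or stale ID simply yields "no session".
    HttpSession session = request.getSession(false);
    if (session == null || session.getAttribute("user") == null) {
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return;
    }

    chain.doFilter(req, res);
  }

  @Override
  public void destroy() { }
}
```

<p>If the only question is whether the client's ID still maps to a live session, <code>request.isRequestedSessionIdValid()</code> answers it without exposing the ID value itself.</p>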

<h2>See</h2>
<ul>
  <li><a href="http://cwe.mitre.org/data/definitions/807">MITRE, CWE-807</a> - Reliance on Untrusted Inputs in a Security Decision</li>
  <li><a href="http://www.sans.org/top25-software-errors/">SANS Top 25</a> - Porous Defenses</li>
  <li><a href="https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management">OWASP Top Ten 2013 Category A2</a> - Broken Authentication and Session Management</li>
  <li>Derived from FindSecBugs rule <a href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#SERVLET_SESSION_ID">Untrusted Session Cookie Value</a></li>
</ul>

